[dependencies] Update golangci/golangci-lint-action action to v8

Signed-off-by: 愚者 <11926619+FansChou@users.noreply.github.com>

common/sniff/ntp.go

@@ -0,0 +1,58 @@
+package sniff
+
+import (
+	"context"
+	"encoding/binary"
+	"os"
+
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+)
+
+func NTP(ctx context.Context, metadata *adapter.InboundContext, packet []byte) error {
+	// NTP packets must be at least 48 bytes long (standard NTP header size).
+	pLen := len(packet)
+	if pLen < 48 {
+		return os.ErrInvalid
+	}
+	// Check the LI (Leap Indicator) and Version Number (VN) in the first byte.
+	// We'll primarily focus on ensuring the version is valid for NTP.
+	// Many NTP versions are used, but let's check for generally accepted ones (3 & 4 for IPv4, plus potential extensions/customizations)
+	firstByte := packet[0]
+	li := (firstByte >> 6) & 0x03 // Extract LI
+	vn := (firstByte >> 3) & 0x07 // Extract VN
+	mode := firstByte & 0x07      // Extract Mode
+
+	// Leap Indicator should be a valid value (0-3).
+	if li > 3 {
+		return os.ErrInvalid
+	}
+
+	// Version Check (common NTP versions are 3 and 4)
+	if vn != 3 && vn != 4 {
+		return os.ErrInvalid
+	}
+
+	// Check the Mode field for a client request (Mode 3).  This validates it *is* a request.
+	if mode != 3 {
+		return os.ErrInvalid
+	}
+
+	// Check Root Delay and Root Dispersion. While not strictly *required* for a request,
+	// we can check if they appear to be reasonable values (not excessively large).
+	rootDelay := binary.BigEndian.Uint32(packet[4:8])
+	rootDispersion := binary.BigEndian.Uint32(packet[8:12])
+
+	// Check for unreasonably large root delay and dispersion.  NTP RFC specifies max values of approximately 16 seconds.
+	// Convert to milliseconds for easy comparison.  Each unit is 1/2^16 seconds.
+	if float64(rootDelay)/65536.0 > 16.0 {
+		return os.ErrInvalid
+	}
+	if float64(rootDispersion)/65536.0 > 16.0 {
+		return os.ErrInvalid
+	}
+
+	metadata.Protocol = C.ProtocolNTP
+
+	return nil
+}

common/sniff/ntp_test.go

@@ -0,0 +1,33 @@
+package sniff_test
+
+import (
+	"context"
+	"encoding/hex"
+	"os"
+	"testing"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/common/sniff"
+	C "github.com/sagernet/sing-box/constant"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSniffNTP(t *testing.T) {
+	t.Parallel()
+	packet, err := hex.DecodeString("1b0006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+	require.NoError(t, err)
+	var metadata adapter.InboundContext
+	err = sniff.NTP(context.Background(), &metadata, packet)
+	require.NoError(t, err)
+	require.Equal(t, metadata.Protocol, C.ProtocolNTP)
+}
+
+func TestSniffNTPFailed(t *testing.T) {
+	t.Parallel()
+	packet, err := hex.DecodeString("400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
+	require.NoError(t, err)
+	var metadata adapter.InboundContext
+	err = sniff.NTP(context.Background(), &metadata, packet)
+	require.ErrorIs(t, err, os.ErrInvalid)
+}

dns/client.go

@@ -34,6 +34,7 @@ type Client struct {
 	disableCache     bool
 	disableExpire    bool
 	independentCache bool
+	clientSubnet     netip.Prefix
 	rdrc             adapter.RDRCStore
 	initRDRCFunc     func() adapter.RDRCStore
 	logger           logger.ContextLogger
@@ -47,6 +48,7 @@ type ClientOptions struct {
 	DisableExpire    bool
 	IndependentCache bool
 	CacheCapacity    uint32
+	ClientSubnet     netip.Prefix
 	RDRC             func() adapter.RDRCStore
 	Logger           logger.ContextLogger
 }
@@ -57,6 +59,7 @@ func NewClient(options ClientOptions) *Client {
 		disableCache:     options.DisableCache,
 		disableExpire:    options.DisableExpire,
 		independentCache: options.IndependentCache,
+		clientSubnet:     options.ClientSubnet,
 		initRDRCFunc:     options.RDRC,
 		logger:           options.Logger,
 	}
@@ -104,8 +107,12 @@ func (c *Client) Exchange(ctx context.Context, transport adapter.DNSTransport, m
 		return &responseMessage, nil
 	}
 	question := message.Question[0]
-	if options.ClientSubnet.IsValid() {
-		message = SetClientSubnet(message, options.ClientSubnet)
+	clientSubnet := options.ClientSubnet
+	if !clientSubnet.IsValid() {
+		clientSubnet = c.clientSubnet
+	}
+	if clientSubnet.IsValid() {
+		message = SetClientSubnet(message, clientSubnet)
 	}
 	isSimpleRequest := len(message.Question) == 1 &&
 		len(message.Ns) == 0 &&

dns/router.go

@@ -55,6 +55,7 @@ func NewRouter(ctx context.Context, logFactory log.Factory, options option.DNSOp
 		DisableExpire:    options.DNSClientOptions.DisableExpire,
 		IndependentCache: options.DNSClientOptions.IndependentCache,
 		CacheCapacity:    options.DNSClientOptions.CacheCapacity,
+		ClientSubnet:     options.DNSClientOptions.ClientSubnet.Build(netip.Prefix{}),
 		RDRC: func() adapter.RDRCStore {
 			cacheFile := service.FromContext[adapter.CacheFile](ctx)
 			if cacheFile == nil {

docs/configuration/dns/index.md

@@ -1,7 +1,11 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
+!!! quote "Changes in sing-box 1.12.0"
+
+    :material-decagram: [servers](#servers)
+
 !!! quote "Changes in sing-box 1.11.0"
 
     :material-plus: [cache_capacity](#cache_capacity)

docs/configuration/dns/index.zh.md

@@ -1,7 +1,11 @@
 ---
-icon: material/new-box
+icon: material/alert-decagram
 ---
 
+!!! quote "sing-box 1.12.0 中的更改"
+
+    :material-decagram: [servers](#servers)
+
 !!! quote "sing-box 1.11.0 中的更改"
 
     :material-plus: [cache_capacity](#cache_capacity)

docs/configuration/route/sniff.md

@@ -22,6 +22,7 @@ If enabled in the inbound, the protocol and domain name (if present) of by the c
 |   UDP   |    `dtls`    |      /      |        /         |
 |   TCP   |    `ssh`     |      /      | SSH Client Name  |
 |   TCP   |    `rdp`     |      /      |        /         |
+|   UDP   |    `ntp`     |      /      |        /         |
 
 |       QUIC Client        |    Type    |
 |:------------------------:|:----------:|

docs/configuration/route/sniff.zh.md

@@ -22,6 +22,7 @@
 |   UDP   |    `dtls`    |      /      |     /      |
 |   TCP   |    `ssh`     |      /      | SSH 客户端名称  |
 |   TCP   |    `rdp`     |      /      |     /      |
+|   UDP   |    `ntp`     |      /      |     /      |
 
 |         QUIC 客户端         |     类型     |
 |:------------------------:|:----------:|

route/route.go

@@ -564,6 +564,7 @@ func (r *Router) actionSniff(
 				sniff.UTP,
 				sniff.UDPTracker,
 				sniff.DTLSRecord,
+				sniff.NTP,
 			}
 		}
 		for {

route/rule/rule_action.go

@@ -379,6 +379,8 @@ func (r *RuleActionSniff) build() error {
 			r.StreamSniffers = append(r.StreamSniffers, sniff.SSH)
 		case C.ProtocolRDP:
 			r.StreamSniffers = append(r.StreamSniffers, sniff.RDP)
+		case C.ProtocolNTP:
+			r.PacketSniffers = append(r.PacketSniffers, sniff.NTP)
 		default:
 			return E.New("unknown sniffer: ", name)
 		}

transport/v2raywebsocket/conn.go

@@ -3,6 +3,7 @@ package v2raywebsocket
 import (
 	"context"
 	"encoding/base64"
+	"errors"
 	"io"
 	"net"
 	"os"
@@ -61,7 +62,7 @@ func (c *WebsocketConn) Close() error {
 func (c *WebsocketConn) Read(b []byte) (n int, err error) {
 	var header ws.Header
 	for {
-		n, err = c.reader.Read(b)
+		n, err = wrapWsError0(c.reader.Read(b))
 		if n > 0 {
 			err = nil
 			return
@@ -95,7 +96,7 @@ func (c *WebsocketConn) Read(b []byte) (n int, err error) {
 }
 
 func (c *WebsocketConn) Write(p []byte) (n int, err error) {
-	err = wsutil.WriteMessage(c.Conn, c.state, ws.OpBinary, p)
+	err = wrapWsError(wsutil.WriteMessage(c.Conn, c.state, ws.OpBinary, p))
 	if err != nil {
 		return
 	}
@@ -146,7 +147,7 @@ func (c *EarlyWebsocketConn) Read(b []byte) (n int, err error) {
 			return 0, c.err
 		}
 	}
-	return c.conn.Read(b)
+	return wrapWsError0(c.conn.Read(b))
 }
 
 func (c *EarlyWebsocketConn) writeRequest(content []byte) error {
@@ -177,12 +178,12 @@ func (c *EarlyWebsocketConn) writeRequest(content []byte) error {
 		conn, err = c.dialContext(c.ctx, &c.requestURL, c.headers)
 	}
 	if err != nil {
-		return err
+		return wrapWsError(err)
 	}
 	if len(lateData) > 0 {
 		_, err = conn.Write(lateData)
 		if err != nil {
-			return err
+			return wrapWsError(err)
 		}
 	}
 	c.conn = conn
@@ -191,7 +192,7 @@ func (c *EarlyWebsocketConn) writeRequest(content []byte) error {
 
 func (c *EarlyWebsocketConn) Write(b []byte) (n int, err error) {
 	if c.conn != nil {
-		return c.conn.Write(b)
+		return wrapWsError0(c.conn.Write(b))
 	}
 	c.access.Lock()
 	defer c.access.Unlock()
@@ -199,9 +200,9 @@ func (c *EarlyWebsocketConn) Write(b []byte) (n int, err error) {
 		return 0, c.err
 	}
 	if c.conn != nil {
-		return c.conn.Write(b)
+		return wrapWsError0(c.conn.Write(b))
 	}
-	err = c.writeRequest(b)
+	err = wrapWsError(c.writeRequest(b))
 	c.err = err
 	close(c.create)
 	if err != nil {
@@ -212,17 +213,17 @@ func (c *EarlyWebsocketConn) Write(b []byte) (n int, err error) {
 
 func (c *EarlyWebsocketConn) WriteBuffer(buffer *buf.Buffer) error {
 	if c.conn != nil {
-		return c.conn.WriteBuffer(buffer)
+		return wrapWsError(c.conn.WriteBuffer(buffer))
 	}
 	c.access.Lock()
 	defer c.access.Unlock()
 	if c.conn != nil {
-		return c.conn.WriteBuffer(buffer)
+		return wrapWsError(c.conn.WriteBuffer(buffer))
 	}
 	if c.err != nil {
 		return c.err
 	}
-	err := c.writeRequest(buffer.Bytes())
+	err := wrapWsError(c.writeRequest(buffer.Bytes()))
 	c.err = err
 	close(c.create)
 	return err
@@ -272,3 +273,23 @@ func (c *EarlyWebsocketConn) Upstream() any {
 func (c *EarlyWebsocketConn) LazyHeadroom() bool {
 	return c.conn == nil
 }
+
+func wrapWsError(err error) error {
+	if err == nil {
+		return nil
+	}
+	var closedErr *wsutil.ClosedError
+	if errors.As(err, &closedErr) {
+		if closedErr.Code == ws.StatusNormalClosure {
+			err = io.EOF
+		}
+	}
+	return err
+}
+
+func wrapWsError0[T any](value T, err error) (T, error) {
+	if err == nil {
+		return value, nil
+	}
+	return common.DefaultValue[T](), wrapWsError(err)
+}